Multivendor Vulnerability Alert

Jakarta Tomcat Multiple Vulnerabilities

High

Alert ID:

5378

First Published:

2003 January 29 22:37 GMT

Last Updated:

2004 July 2 17:41 GMT

Version:

4

CVE-2003-0042

CVE-2003-0043

CVE-2003-0044

Summary

Jakarta Apache Tomcat versions 3.3.1 and prior contain several vulnerabilities. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and Java Server Pages technologies. The vulnerabilities can allow an attacker to exploit system trust and obtain sensitive information or execute arbitrary code.

An information disclosure vulnerability occurs when processing requests. Tomcat fails to correctly parse requests, allowing files such as index.html, index.jsp, and other welcome files to bypass authentication. An attacker can create a specially crafted request to obtain sensitive information from files and directory listings.

An additional information disclosure vulnerability exists in Tomcat when the system attempts to access a malformed web application. Tomcat fails to properly parse URLs. A specially crafted request containing a malicious URL can allow an attacker to access read-only files outside of the web application. The portion of the files that can be accessed includes parts of an XML document.

A cross-site scripting vulnerability exists in the sample web application, allowing attackers to execute code on the host system.

Updates are available.

Indicators of Compromise

Systems running Tomcat 3.3.1 or prior are vulnerable.

Technical Information

Jakarta Tomcat versions prior to 3.3.1a, when used with JDK 1.3.1 or earlier, allow remote attackers to list directories even with an index.html or other file present via a URL containing a null character. Tomcat also uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file.

HTTP requests containing binary null or backslash characters are parsed incorrectly by Tomcat's built-in web server. This may allow certain commands to retrieve the contents of files and directories that should not be visible to the outside. The source of .jsp files may be retrieved using this method.

The following GET request causes the directory listing of the web root to be displayed by Tomcat:

GET /.jsp HTTP/1.0

The servlet engine retrieves the directory listing and files as a .jsp file. Attackers may be able to exploit this vulnerability to run arbitrary Java code. A file whose name contains JSP tags could be run when a directory listing request is sent. HTML and other types of files with Java code embedded within may be compiled in the same way.

Remote users may also force .jsp files to be interpreted as plain HTML, displaying the source with the following command:

Administrators are advised to review the Important Security Note at the update link in Patches/Software. The update version includes example applications that are vulnerable to known cross-site scripting vulnerabilities. These examples should be removed.
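The request patterns described in Technical Information (null or backslash characters in the path, and a bare ".jsp" path segment that yields a directory listing) can be screened for in web server access logs. The following detector is an added example, not part of this alert; the Common Log Format lines it scans are constructed for illustration, and the bounded repeated percent-decoding is an assumption added so that doubly encoded characters are also visible.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jan/2003:22:37:00 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [29/Jan/2003:22:38:10 +0000] "GET /.jsp HTTP/1.0" 200 2048
10.0.0.9 - - [29/Jan/2003:22:38:15 +0000] "GET /admin/%00.html HTTP/1.0" 200 1300
10.0.0.9 - - [29/Jan/2003:22:38:20 +0000] "GET /examples/..%5cindex.jsp HTTP/1.0" 200 900
10.0.0.7 - - [29/Jan/2003:22:39:00 +0000] "GET /docs/index.jsp HTTP/1.0" 200 700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def decode_path(raw_path, rounds=3):
    """Percent-decode repeatedly (bounded) so %2500 is seen as a null byte too."""
    path = raw_path
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(raw_path):
    """Return the advisory-related reasons a request path looks suspicious."""
    reasons = []
    path = decode_path(raw_path)
    if "\x00" in path:
        reasons.append("null byte in path")
    if "\\" in path:
        reasons.append("backslash in path")
    if path.split("/")[-1] == ".jsp":
        reasons.append("bare .jsp directory-listing request")
    return reasons


def scan_access_log(text):
    """Parse CLF lines; return (ip, path, reasons) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            reasons = classify_request(match.group("path"))
            if reasons:
                hits.append((match.group("ip"), match.group("path"), reasons))
    return hits
```

Matches on a server that still runs Tomcat 3.3.1 or earlier are worth treating as probable reconnaissance; on a patched server they remain a useful signal of scanning activity.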

Analysis

Cross-site scripting vulnerabilities occur when a web application gathers malicious data from a user. The information is usually gathered in the form of a hyperlink, or URL, which can contain malicious code. The user will most likely select the link from a web site, web board, e-mail, or from an instant message. The attacker can encode the malicious portion of the link to the site in hexadecimal so the request is less suspicious. Once the web application processes the collected data, an output page is created for the user containing the malicious data that was originally sent to it, but in a manner that makes it appear to be valid content from the web site. Administrators are advised to install the latest version, 3.3.1a, to prevent an attack.

Sample exploits have been posted to public sites and distributed on mailing lists, increasing the likelihood of attacks.

Safeguards

Administrators are advised to install the latest packages from the appropriate vendor to prevent an attack.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products